Online Privacy Tools Don't Work Well, CMU Researchers Find

The IT industry has made progress in making opt-out tools for users to block online behavioral tracking, but CMU CyLab researchers said the tools are too confusing to use effectively.

There's some bad news out of Carnegie Mellon University for Internet
users concerned about effectively managing their online privacy. The
online privacy management tools don't appear to work all that well,
researchers found.

CMU researchers observed 45 participants using nine tools that
supposedly limited online behavioral advertising or blocked access to
online advertisements and found that protections are "fundamentally
flawed." CyLab researchers released the report, "Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising," on Oct. 31.

The tools examined in the report included Web browser plug-ins such as
Ghostery, tools that rely on blacklists such as PrivacyMark and the
privacy features embedded in the latest Web browsers such as Mozilla
Firefox and Microsoft Internet Explorer. In most cases, users were
unable to configure the tools properly, thus reducing their
effectiveness, researchers found.

"We found serious usability flaws in all nine tools we examined," CMU CyLab researchers wrote in the report.

The online tools were challenging to understand and configure. As a
result users were "unable to make meaningful choices," researchers
found.

Users struggled to install and manage blocking lists and often thought just
having the tools was enough to block online behavioral advertising, not
realizing they were disabled by default and had to be configured first,
the report said. A participant spent 47 minutes going through all the
opt-out instructions for one tool, which were available only in
Japanese, said Lorrie Cranor, director of CyLab, on an American Public
Media podcast.

Another tool included in the study, TACO, required a user to configure Targeted Ad Networks, Web Trackers and Cookies.
The differences between the categories were not explained, and most users "tend
to be unfamiliar" with how advertising companies work, researchers
said. The user had to click on three separate buttons that originally
didn't appear to be clickable to enable blocking, according to the
report. None of the study's participants managed to block all 630
targets the tool claims to be able to block.

"You may well have thought that Facebook's privacy controls are
unfathomable. These privacy tools, including the settings on common
browsers Internet Explorer and Firefox, are torturous," wrote Lisa
Vaas, on the Naked Security blog for Sophos.

Users liked the fact that browsers had built-in Do Not Track features,
but were "wary" of whether the advertising companies would actually
respect the setting, the report found. Internet Explorer 9 also
provides a "privacy slider" for users to adjust the level of privacy
protection, but it wasn't clear to the study participants what "low,"
"medium," and "high" meant in terms of what was blocked, the survey
found.

Internet users are increasingly becoming concerned about online privacy
in light of data breaches, aggressive data collection by Web companies
and reports of the government tracking user behavior and activity
online. CMU's CyLab found in a 2009 study that if given a choice, 87
percent of Americans "definitely would not" or "probably would not"
allow advertisers to track them online even if the data collected was
anonymized. The researchers in that study found that 64 percent of the
respondents found the idea of targeted ads invasive.

Many Web companies and marketing professionals have resisted attempts
by the government to regulate online tracking and proposed industry-led
mechanisms. A blanket opt-out, included in various privacy and "do-not-track"
bills currently making rounds in Congress, would impede innovation and
companies' ability to individually tailor services for their
customers, according to Steve Minichini, president of interactive at
media agency TargetCast.

The industry is "policing itself," and "the government shouldn't try to
dictate how to handle consumer preferences," Minichini told eWEEK earlier this year. Government-enforced legislation was "unnecessary" and would be "too restrictive," he said.

However, CMU researchers concluded that users were getting incomplete
protection, if any, against Web sites and online advertisers intent on
tracking user behavior using these industry-led tools.